Part 2: PIPL and GDPR Compliance Obligations on Cross-Border Transfers of Personal Information

Inform data subjects of the name and contact information of overseas recipients, processing purposes and means, the types of personal information to be transferred overseas, and the means and procedures for data subjects to exercise their rights under the PIPL against the overseas recipients.^[3]  

Inform data subjects pursuant to Articles 13 and 14 of the GDPR, which include information such as:

• The recipients or categories of recipients of the personal data.
• The fact that the controller intends to transfer personal data to a third country or international organization.
• The purpose(s) of the processing.

Obtain separate consent from the data subjects.^[4]  

The GDPR provides for a two-stage approach to personal information “processing,” in contrast to third-country personal information “transfer.”

First stage: Basic principles of the GDPR must always be observed when personal information is processed (regardless of a transfer to a third country).

Second stage: Only in the case of a cross-border data transfer to a third country must organizations ensure that one of the described transfer mechanisms (adequacy decision, appropriate safeguards or derogations for specific situations) is applicable.

As such, in the second stage, data subjects’ consent must be obtained for cross-border data transfers only when organizations can’t base the transfer on an adequacy decision or appropriate safeguards but must use consent as a derogation for specific circumstances.

Conduct an internal personal information protection impact assessment^[5] prior to the cross-border transfer of personal information (an ex-ante self-assessment similar to the Data Protection Impact Assessment under the GDPR), and keep the assessment reports and the records of the processing activities for at least three years.^[6]

The PIPL requires personal information processors to assess the following factors when conducting the personal information protection impact assessment:

• Whether the processing purposes and means are lawful, legitimate and necessary.
• Impacts and security risks on the rights and interest of individuals.
• Whether the security measures adopted are lawful, efficient and in proportionate to the risk exposure.^[7]

However, the PIPL doesn’t provide further details on how personal information processors must carry out the above personal information protection impact assessment in practice. China published a non-legally binding national standard (the GB/T 39335 – 2020 Information Security Technology – Guidance for Personal Information Security Impact Assessment^[8]), which provides detailed practical guidance on the above security assessment. However, considering that the national standard was released before the enactment of the PIPL and includes a specific carve out for cross-border transfer of personal information, the national standard may only serve as a reference.

The October 2021 release of the draft Security Assessment Measures for Cross-Border Data Transfer (Draft Security Assessment Measures) further complicates the above analysis. Under the draft security review measures, all personal information processors, regardless whether they are subject to the mandatory security assessment administered by the Cyberspace Administration of China (CAC), must carry out a “self-assessment” prior to their cross-border transfer of personal information.^[9] This requirement appears to overlap with the personal information protection impact assessment required under Article 55 of the PIPL, but the Draft Security Assessment Measures are silent on how these potential overlapping requirements may be reconciled.

Under the Draft Security Assessment Measures, when conducting the self-assessment, the following factors shall be assessed:

• The lawfulness, legitimacy, and necessity of the purpose, scope and means of the cross-border transfer and the processing activities by overseas recipients.
• The amount, scope, types and sensitivity of the data to be transferred, and the risks of the transfer posed to national security, public interest and legitimate rights and interests of individuals or organizations.
• Whether the organizational and technical measures and capability of the personal information processor can prevent data leakage and destruction at the data transmission stage.
• Whether the obligations and responsibilities assumed by overseas recipients and the corresponding organizational and technical measures and capability of overseas recipients to perform the undertakings could ensure the security of the data transferred outside China.
• The risks of leakage, destruction, distortion or abuse after the data is transferred overseas and onward transferred, and whether convenient channels are available for individuals to exercise their personal information rights.
• Whether the contract between the personal information processor and the overseas recipient has sufficiently specified the obligations and responsibilities with respect to data security.^[10]  

Under the GDPR, if the transfer is based on appropriate safeguards – for example, standard contract clauses (SCCs) – data exporters and data importers must also take into account the Schrems II judgment, where the Court of Justice of the European Union found that data exporters do need to perform an assessment of the third country to which they are transferring the information to determine if they provide a level of protection essentially equivalent to that guaranteed in the EU. If there are issues with the level of protection, the data exporter will need to establish if there are supplementary measures that can be applied along with the SCCs to maintain the level of protection.^[11] If this isn’t possible, the data exporter will need to suspend or end the transfer.

Thus, similar to the ex-ante self-assessment under the PIPL, European organizations must conduct a data transfer impact assessment (DTIA) before they can use SCCs to transfer information to a third country. This requires organizations to conduct a case-by-case assessment and, at a minimum, consider the following:

• What’s the type and sensitivity of the personal information?
• Who will be able to process the personal information?
• What technical measures are used to protect the personal information?
• Which national laws apply in that jurisdiction, and how are they exercised in practice and in relation to a particular personal data transfer?

DTIAs require a more comprehensive and flexible risk assessment rather than narrowly focusing on the third country’s data protection laws, and they need to be monitored on an ongoing basis and updated in light of any changes in the laws of the third country. Thus, organizations must dedicate even more resources to GDPR compliance and their data transfer mapping.  

Under the PIPL, should any foreign organizations or individuals conduct personal information processing activities “infringing Chinese citizens’ rights and interests related to personal information,” or “endangering China’s national security or public interest,” the CAC may place such foreign organizations or individuals on a publicly available list – and take measures to restrict or prohibit personal information processors from transferring personal information to them.^[12] Therefore, before transferring personal information to recipients outside of China, personal information processors must ensure that the overseas recipients aren’t on the “blacklist” issued by the CAC. (So far, the CAC hasn’t published such a list.)

Moreover, should any countries or regions act in a discriminatory or restrictive manner against China with respect to personal information protection, the PIPL states that China may take “corresponding measures” against such countries or regions.^[13] It is unclear how the Chinese government plans to enforce such a provision.

N/A